State Privacy Laws Flashcards

1
Q

State Regulatory Authorities

A

The lack of a comprehensive federal privacy law increases the power of the states

2
Q

Marketing Laws

A

a. Covered by both self-regulation and federal/state laws (CIPP/US Limits on Private Sector Data)
b. Self-regulation is when companies in an industry form a coalition, define standards of conduct, mutually commit to following those standards, and develop an enforcement program to verify to each other and to the public that they are doing so.
c. NAI (Network Advertising Initiative) – for those who participate in online advertising, the NAI publishes a code of conduct with detailed requirements, including notices of privacy practices, an opt-out option for consumers, and how to provide information on data security, use, and availability. The NAI is one example of an industry self-regulatory framework.
d. The BBB offers a self-regulatory framework for advertising to children.
e. Every state has a law protecting consumers against unfair and deceptive trade practices.
f. CAN-SPAM allows state attorneys general to bring legal action against violators.

3
Q

California SB-1

A

Expands upon GLBA and restricts financial institutions’ sharing of customer information. Under GLBA, financial institutions can share customer information with nonaffiliated third parties unless the customer opts out; SB-1 requires the customer to opt in. SB-1 also requires financial institutions to prominently provide an “Important Privacy Choices for Consumers” notice.

4
Q

Social Security Number (SSN)

A

The most sensitive piece of information for individuals in the U.S. The digitization of consumer finance has resulted in increased use of SSNs, and possession of an SSN is widely used as proof of identity. Organizations now need to purge unnecessary stores of SSNs and protect the SSNs they still need.
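Purging unnecessary SSN stores starts with finding them. The scanner below is an added example, not part of the original flashcards: it walks lines of a constructed export, matches SSN-shaped tokens (with dashes, spaces, or no separator), discards candidates that fall in ranges the SSA has never issued (area 000, 666, or 900–999; group 00; serial 0000) or that are well-known voided advertising numbers, and reports a masked form suitable for a findings ticket. The sample data, the `SsnHit` record type and the field names are assumptions made for the example.

```python
import re
from typing import NamedTuple

# AAA-GG-SSSS with "-", " " or no separator. The digit look-arounds stop the
# pattern from firing inside longer digit runs (order numbers, account numbers).
_SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Numbers the SSA voided after they were printed in advertising material.
_VOIDED = {"078-05-1120", "219-09-9999"}


class SsnHit(NamedTuple):
    line_no: int   # 1-based line in the scanned input
    raw: str       # token exactly as found (for locating the record)
    masked: str    # what goes into the finding: last four only


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs (area/group/serial never-issued ranges)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return f"{area}-{group}-{serial}" not in _VOIDED


def mask(area: str, group: str, serial: str) -> str:
    return f"***-**-{serial}"


def scan(lines: list[str]) -> list[SsnHit]:
    """Return every plausible SSN found in the given lines, masked for reporting."""
    hits: list[SsnHit] = []
    for n, line in enumerate(lines, start=1):
        for m in _SSN_CANDIDATE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                hits.append(SsnHit(n, m.group(0), mask(*m.groups())))
    return hits


# Constructed sample export (no real SSNs; names are placeholders).
SAMPLE = [
    "id=1001,name=Ada Lovelace,ssn=123-45-6789,phone=555-123-4567",
    "id=1002,name=Test Account,ssn=000-12-3456",   # area 000 is never issued
    "id=1003,name=Ad Sample,ssn=078-05-1120",      # voided advertising number
    "order=20230915123456,amount=42.10",           # long digit run, not an SSN
    "id=1004,name=Grace Hopper,ssn=987654321",     # unformatted, area 987 invalid
    "id=1005,name=Alan Turing,ssn=219 09 9999",    # spaces, voided advertising number
    "id=1006,name=Mary Jackson,ssn=545 33 1234",   # unusual separator, still plausible
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"line {hit.line_no}: {hit.masked}")
```

Run against real exports, expect false positives from nine-digit identifiers that happen to sit in issued ranges; the structural filter removes test data and junk, not every collision, so treat hits as candidates for a human to confirm before the store is purged or the retained copies are put under access control.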

5
Q

California Electronic Communications Privacy Act (2015)

A

Requires state law enforcement to get a warrant before they can access electronic information about who we are, where we go, who we know, and what we do.
1. Builds upon the federal Electronic Communications Privacy Act (ECPA). Restricts state law enforcement in two ways:
o Access to Service Provider Records – requires a search warrant or court order in criminal cases; requires a subpoena in noncriminal cases
o Access to Electronic Devices – requires a search warrant, wiretap order, consent of the device’s owner, or certification of an emergency situation
o CalECPA only applies to California law enforcement agencies, not federal agencies operating in CA

6
Q

Delaware Online Privacy and Protection Act of 2016 (DOPPA)

A

Summary:
Requires any website or online service that collects PII to post and comply with a privacy policy, conspicuously posted (on the homepage, or via a link containing the word “privacy”). The policy must be reasonably accessible to users.
o The policy must identify the PII collected and the third parties with whom the site shares PII.
o Disclose how “do not track” requests are handled.
o Describe the policy-change notification procedure.

eBook providers are prohibited from sharing information about users without appropriate legal process.

Prohibited Advertising to Children – the prohibited categories include alcohol/drugs, firearms or fireworks, tanning, dietary supplements, lottery/gambling, body modification, and sexual materials.

Detail:
Effective January 1, 2016, provides strong online privacy protection for the residents of Delaware. The law grants the Consumer Protection Unit of the state’s Department of Justice the authority to investigate and prosecute violations of the law.

7
Q

Three major provisions of DOPPA

A

o Websites must post privacy policies
o eBook providers must safeguard user information
o Websites targeting children must restrict advertising.

8
Q

Nevada SB 538 - 2017

A

Requires website owners to post privacy notices. Applies to any website operator that collects and maintains PII of Nevada residents. Operators that do not meet this requirement face civil penalties of up to $5,000 per violation.

9
Q

Nevada SB 538 Requirements

A

o Categories of information collected and third-party partners
o Describe the process to review and correct records, if available
o Describe the notification process for policy changes
o Disclose use of third-party tracking services
o Include an effective date

10
Q

Illinois Right to Know Act - 2017

A

Proposed protections for personal information collected by websites. Failed to reach a vote. Even though it did not pass, it is noteworthy for the exam because it would have provided a private right of action to individuals who felt their privacy was harmed by an organization.

11
Q

New Jersey Personal Information and Privacy Protection Act (2017)

A

Regulates the scanning of identification cards. For the purposes of the law, scanning applies to any type of electronic reading of the card. Retailers may scan cards for only eight purposes:
o Verify the authenticity of the card or identity of card holder
o Verify the age for age-restricted purchases
o Prevent fraud for refunds or exchanges
o Open or manage a credit account or transaction
o Establish or maintain a contractual relationship
o Meet obligations under federal or state law
o Transmit information to a financial institution
o Meet obligations under HIPAA.
• Data scanned to verify age or authenticity cannot be retained.
• Information that is retained must be securely stored, and any breach of it must be reported.
• Retailers are prohibited from selling or otherwise using this information.
• NJPIPPA includes a private right of action and allows fines of up to $5,000.

12
Q

Washington Biometric Privacy Law (H.B. 1493) (2017)

A

Biometrics are an important security control used to protect sensitive data.
1. Biometric Identifier – data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retina, iris, or other unique biological pattern or characteristic, that is used to identify a specific individual
2. The law excludes photos, video recordings and audio recordings
3. Enrollment requirements:
o Notice
o Consent
o A mechanism to prevent subsequent commercial use
4. The law limits sharing biometric information with third parties unless the individual consents, sharing is required by law, or the recipient is a contracted third party acting consistently with the law
5. Maintenance requirements:
o Protect against unauthorized access
o Dispose when not needed
o Use only for the purposes disclosed when it was collected

13
Q

NYDFS Cyber-security Regulation (2017)

A

Regulates banks, insurance companies, and other financial services providers operating in New York. The cybersecurity regulation applies to all covered entities regulated by DFS.

  1. Requires all covered entities to implement a risk-based cybersecurity program
  2. Covered entities must also implement a written cybersecurity policy
  3. Designate a Chief Information Security Officer (CISO) who provides a written report to the board
  4. Implement the DFS cybersecurity controls (next card)
14
Q

DFS Cyber-security Controls

A
o Penetration testing
o Vulnerability assessment
o Audit trail
o Access privileges
o Application security
o Risk assessments
o Multi-factor authentication
o Encryption
o Incident response plan
o Secure disposal
15
Q

California Consumer Privacy Act (CCPA) (2018)

A

First state-level comprehensive privacy law in the US. Applies broadly to businesses that collect personal information from California consumers, imposing extensive transparency and disclosure obligations. It also creates consumers’ rights to access their personal data and to request its deletion; to opt out of the sale of their personal data; and to nondiscrimination for exercising any of their CCPA rights.

16
Q

What are a consumer’s rights under CCPA?

A

o Right to know what information is collected
o Right to know how information is shared
o Right to opt out of the sale of information
o Right to review information
o Right to request deletion of information

17
Q

Personal Information

A

A person’s first name or first initial and last name, in combination with their Social Security number, driver’s license number or state identity card number, or a financial account number, credit card number, or debit card number together with any required security code or password (the definition used in the Mississippi breach notification law).

18
Q

Security Breach

A

Unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of any Mississippi resident, when the personal information has not been secured by encryption or by any other method or technology that renders it unreadable or unusable.

19
Q

Conditions for notification of a breach

A

Most states use generic language (e.g. “without unreasonable delay”); others set a specific deadline (30, 60, or 90 days).

20
Q

Subject Rights for Data Breaches

A

Most states do not allow a private right of action. (Only AG can bring forward a suit).

21
Q

Tennessee SB 2005

A

i. Passed in 2016
ii. Changes:
1. Defined personal information to include encrypted data
2. Shortened the notice period to 45 days from discovery
3. Extended the definition of a data breach to unauthorized access by an employee to information used for an unlawful purpose

22
Q

Illinois HB 1260

A
  1. Expanded PI to include health records, biometric data, and usernames/passwords within the scope of the law
  2. Requires notification of the AG for HIPAA breaches
  3. Removes the encryption safe harbor if the encryption key was also breached
23
Q

California AB 2828

A
  1. Removes the encryption safe harbor if the encryption key was also breached
  2. Allows delayed notification at the request of law enforcement
  3. Creates specific content and format requirements for breach notices
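The breach cards above (the personal-information definition, the encryption safe harbor in the security-breach definition, and the Illinois HB 1260 / California AB 2828 rule that a compromised key voids that safe harbor) combine into a triage decision an incident responder makes on every compromised data store. The code below is an added example, not part of the original flashcards and not a model of any one state’s statute: it encodes those page-level rules generically. The field-category sets, the `BreachedStore` record, and the sample stores are assumptions made for the example.

```python
from dataclasses import dataclass

# Elements that, combined with a name, make a record "personal information".
STANDALONE_IDENTIFIERS = {"ssn", "drivers_license", "state_id"}
# Financial identifiers count only together with a code/password that lets them be used.
FINANCIAL_IDENTIFIERS = {"account_number", "credit_card", "debit_card"}
FINANCIAL_SECRETS = {"security_code", "password"}


@dataclass
class BreachedStore:
    name: str                      # label for the report
    fields: set[str]               # column names present in the acquired data
    encrypted: bool                # data was encrypted when it was acquired
    key_compromised: bool = False  # the decryption key/credential was acquired too


def contains_personal_information(fields: set[str]) -> bool:
    """Name (first name or initial + last name) plus a qualifying data element."""
    has_name = "last_name" in fields and bool({"first_name", "first_initial"} & fields)
    if not has_name:
        return False
    if STANDALONE_IDENTIFIERS & fields:
        return True
    return bool(FINANCIAL_IDENTIFIERS & fields) and bool(FINANCIAL_SECRETS & fields)


def safe_harbor_applies(store: BreachedStore) -> bool:
    """Encryption only renders data unreadable if the attacker lacks the key."""
    return store.encrypted and not store.key_compromised


def is_notifiable_breach(store: BreachedStore) -> tuple[bool, str]:
    """Return (notify?, reason) for one compromised store."""
    if not contains_personal_information(store.fields):
        return False, "no personal information as defined"
    if safe_harbor_applies(store):
        return False, "encrypted and key not compromised: safe harbor applies"
    if store.encrypted:
        return True, "encrypted but key compromised: safe harbor lost"
    return True, "unencrypted personal information acquired"


# Constructed sample stores from a hypothetical incident.
SAMPLE_STORES = [
    BreachedStore("newsletter", {"first_name", "last_name", "email"}, encrypted=False),
    BreachedStore("hr_export", {"first_name", "last_name", "ssn"}, encrypted=False),
    BreachedStore("card_tokens", {"first_name", "last_name", "credit_card"}, encrypted=False),
    BreachedStore("payments_db", {"first_initial", "last_name", "credit_card", "security_code"},
                  encrypted=True),
    BreachedStore("payments_backup", {"first_initial", "last_name", "credit_card", "security_code"},
                  encrypted=True, key_compromised=True),
]


def triage(stores: list[BreachedStore]) -> dict[str, tuple[bool, str]]:
    return {s.name: is_notifiable_breach(s) for s in stores}


if __name__ == "__main__":
    for name, (notify, reason) in triage(SAMPLE_STORES).items():
        print(f"{name:16} notify={notify!s:5} {reason}")
```

The point of `key_compromised` is the one responders most often miss: if the attacker took the backup and the KMS credential or the key file beside it, the data was not "rendered unreadable", and a state that follows the Illinois/California rule treats it as an unencrypted breach. Record that determination with the evidence (which keys were reachable from the compromised host) rather than assuming encryption at rest ends the analysis.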
24
Q

New Mexico HB 15

A
  1. One of the last states to pass a data breach notification law
  2. Includes biometric information in scope
  3. Requires AG notification if more than 1,000 New Mexico residents are affected
  4. Exempts GLBA- and HIPAA-covered entities
  5. Includes secure data storage and disposal requirements
25
Q

Massachusetts HB 4806

A
  1. Requires credit monitoring services for breaches involving SSNs